In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the potential to corrupt kernel memory if userspace provides a vapic_addr that lies at the end of a page.
An unprivileged local user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
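The defensive check that closes this class of bug, as an added example and not the kernel's own code: the 32-bit vapic field must be validated to fit inside one page when userspace registers the address, not when the sync path later dereferences it. The page size, the treatment of address 0 as "disabled", and the function names are assumptions made for this simplified model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model: the hypervisor maps one 4 KiB guest page and touches a
 * 32-bit field at offset_in_page(vapic_addr). An offset of 4093..4095 would
 * make that access run past the mapped page. */
#define MODEL_PAGE_SIZE 4096u
#define MODEL_PAGE_MASK (MODEL_PAGE_SIZE - 1)

static uint64_t g_vapic_addr; /* registered address, 0 = disabled (assumption) */

static inline uint64_t offset_in_page(uint64_t gpa) { return gpa & MODEL_PAGE_MASK; }

/* True when `len` bytes starting at guest physical address `gpa` stay inside
 * a single page. */
bool vapic_access_fits_in_page(uint64_t gpa, size_t len)
{
    if (len == 0 || len > MODEL_PAGE_SIZE)
        return false;
    return offset_in_page(gpa) + len <= MODEL_PAGE_SIZE;
}

/* Hardened registration: reject an address whose 32-bit vapic field would
 * straddle the end of the page. Returns 0 on success, -1 (think -EINVAL) on
 * rejection, leaving the previously registered address untouched. */
int set_vapic_addr_checked(uint64_t vapic_addr)
{
    if (vapic_addr != 0 && !vapic_access_fits_in_page(vapic_addr, sizeof(uint32_t)))
        return -1;
    g_vapic_addr = vapic_addr;
    return 0;
}

uint64_t current_vapic_addr(void) { return g_vapic_addr; }

/* Defence in depth for the sync path: refuse the read rather than trusting
 * that registration validated the address. Returns false if the field would
 * cross the page boundary; otherwise stores the 32-bit value in *out. */
bool sync_from_vapic_checked(const uint8_t *page, uint64_t vapic_addr, uint32_t *out)
{
    if (!vapic_access_fits_in_page(vapic_addr, sizeof(*out)))
        return false;
    memcpy(out, page + offset_in_page(vapic_addr), sizeof(*out));
    return true;
}
```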
Acknowledgements:
Red Hat would like to thank Andrew Honig of Google for reporting this issue.